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NETWORK POLICY DISTRIBUTION 

TECHNICAL FIELD 

This invention relates to network policy distribution. 

BACKGROUND 

For two computers to communicate with each other over a 
5 network, the network systems on the two computers typically 
are configured so that they are compatible. For example, if 
two computers are to encrypt data communicated between them, 
both computers may use the same encryption and decryption 
methods. For small networks with simple computers, an 

10 operator may manually configure the network systems at each of 
the computers . 

Alternatively, a policy server computer on the network 
may configure the network systems of the computers on the 
network. The network configuration data for the computers are 

15 stored in policy files or in a policy database on the policy 
server. The policy server configures the network systems of 
the computers by transmitting configuration data from the 
policy files or database to the computers. Policy clients on 
the computers may then change the network configuration of the 

20 computers using the transmitted configuration data. 

For a policy client to configure a network system using a 
policy file, the policy file is typically formatted in a 
particular way. The rules for formatting a policy file are 
referred to as a schema. Different clients may require 

25 different policy files formatted according to different 
schemas . 



DESCRIPTION OF DRAWINGS 

FIG. 1 is a block diagram of a network of computers 
according to the invention; 
30 FIG. 2 shows a first part of a network policy according 

to a first version; 



1 



ATTORNEY DOCKET: 1 0559/29900 1/P93 10 



FIG. 2 shows a first part of a network policy according 
to a first version; 

FIG. 3 shows a schema of the first version of the network 
policy; 

5 FIG. 4 shows a schema of a second version of a network 

policy; 

FIG. 5A shows a second part of the network policy of FIG. 
2 and a translation specification; 

FIG. 5B shows a translated version of the network policy 
10 of FIG. 1; 

FIG. 6 is a flow chart of the process implemented by the 
server of FIG. 1; 

FIG. 7A is a flow chart of the process implemented by one 
of the clients of FIG. 1; and 
15 FIG. 7B is a flow chart of the process implemented by 

another one of the clients of FIG. 1. 

DETAILED DESCRIPTION 

As shown in FIG. 1, a network 10 connects client 
computers 12, 14, 16 to a server 18. The server 18 has a 

20 processor 20 for executing computer programs, a network 

interface 24 for communicating over the network 10, and a 
storage subsystem 22. Storage subsystem 22 may include a 
CDROM drive, floppy disk, hard disk, hard disk array, memory, 
and so on. Processor 20 may cause the network clients 12-16 

25 to change their network configurations by executing policy 
server 26 software, stored within storage subsystem 22. 

Policy server software 26 is associated with a network 
policy 30, which includes a particular version 34 of a network 
configuration 32 and a timestamp 35 indicating the time that 

30 the network configuration 32 was created. The network 

configuration 32 is used to configure the clients 12, 14, 16. 
The clients 12, 14, 16 may differ from each other, for 
example, because they are from different manufacturers or have 
different operating systems. Consequently the clients may 

35 require different versions of the network configuration 32. 
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The policy 30 includes a specification 36 for translating the 
network configuration 32 from the particular version 34 to 
another version of the policy that may be required by the 
clients 12, 14, 16. The policy 3 0 may contain multiple 
5 translation specifications 35 to allow the policy to be 
translated into many different versions. 

The policy server software 26 also includes a policy 
transmitter 40 that transmits the policy 3 0 over the network 
10 to the client computers 12, 14, 16 and a policy translator 

10 42 that can be used to translate the network configuration 32 
using the translation specification 36 for client computers 16 
that cannot do the translation. 

The client computers 12, 14, 16 each contain a network 
interface 52a, 52b, 52c for communicating with the network 10, 

15 a storage subsystem 53a, 53b, 53c, and a processor 54a, 54b, 
54c for executing software stored within the storage 
subsystem. The software sends and receives data over the 
network through a network system 56a, 56b, 56c and the network 
interface 52a, 52b, 52c. Policy client software 58a, 58b, 

20 58c, Stored within the storage subsystem 53a, 53b, 53c 

configures the network system 56a, 56b, 56c using the network 
policy 30 transmitted by the server 18. 

Policy client software 58a, 58b, 58c includes a network 
configurator 60a, 60b, 60c that receives the policy 30 from 

25 the server 18 and uses the policy 3 0 to configure the network 
system 56a, 56b, 56c. Network configurator 60a, 60b, 60c also 
records a timestamp 57a, 57b, 57c associated with the network 
policy 3 0 that was used to configure the network system 56a, 
56b, 56c in the network system. Each network configurator 

30 60a, 60b, 60c is associated with a particular ""schema 62a, 
62b, 62c of the network configuration 32. A network 
configurator may not be able to configure a network interface 
with a policy file that is configured according to a different 
schema from the one that is expected by the network 

35 configurator. The schemas 62a, 62b, 62c of the network 
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clients are assigned version numbers 64a, 64b, 64c to 
distinguish one schema from another. 

Clients 12, 14 have a policy translator 70a, 70b, which 
uses the translation specification 36 contained within the 
5 policy 3 0 to translate the network configuration 32 contained 
within the policy 30 to the version 64a of the schema 62a, 62b 
associated with the client 12, 14. The network configurator 
60a, 60b then configures the network system 56a, 56b using the 
translated policy. Thus, sending the translation 

10 specification 3 6 to the clients 12, 14 along with the network 
configuration allows the same policy 3 0 to be used in 
configuring clients that may have different policy versions. 
Since only one policy 30 is maintained on the server, the 
amount of effort and resources needed to maintain the policy 

15 3 0 is reduced. Traffic within the network 10 may also be 

reduced by broadcasting the policy 30 to both clients 12, 14 
in the same transmission. 

Client 16 is not equipped with a policy translator. If 
the policy 30 does not have the same version 64c as client 16, 

20 client 16 sends a policy error 71 to the server 18. The 
policy translator 42 on the server 18 then translates the 
policy 30 into the version 64c associated with the client 16 
and transmits the translated policy 72 to the client 16. The 
network configurator 60c of the client 16 uses the translated 

25 policy 72 to configure the network system 56c. Thus the 

policy 30 can be used with a client 16 that is not equipped to 
translate the policy. 

The policy 3 0 may, for example, be represented in a tag- 
based language such as the extensible Markup Language (XML) , 

30 HyperText Markup Language (HTML) , or Standard Generalized 

Markup Language (SGML) . The invention will be described with 
reference to an implementation where the policy is represented 
as an XML file with the translation specification being 
represented in an extensible Stylesheet Language (XSL) file. 

35 The policy translators 40, 70a, 70b are extensible Stylesheet 
language translators (XSLT) . XML and XSL are document 
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formatting and translating languages promulgated by the World 
Wide Web Consortium (W3C) . XSL translators are easily 
available because XSL is used in many different applications. 
For example, the XSL translator included in Internet Explorer 
5 by Microsoft Inc. may be used as a policy translator 40, 70a, 
70b. 

As shown in FIG. 2, a network policy 30 specifies the 
version 34 of a schema to which the policy 3 0 conforms and a 
timestamp 35 indicating the creation time of the policy. 

10 Policy 30 conforms to a schema version 1.1. Policy 30 has 

network configuration data 32 for configuring network systems 
56a, 56b, 56c (FIG. 1) of client computers. Network 
configuration data 32 includes network data encryption 
settings 90 that network systems 56a, 56b, 56c (FIG. 1) may 

15 use when communicating with another computer. The network 
systems 56a, 56b, 56c of a client computer 12, 14, 16 
configured according to the policy 30 proposes a first network 
setting 90a as an encryption setting for communication between 
the client computer 12, 14, 16 and another computer. If the 

20 first setting 90a is unacceptable to the other computer, the 
network system 56a, 56b, 56c propose a second setting 90b to 
the other computer. The first setting 90a proposes a pre- 
shared 92a authentication method with a DES 94a cipher 
algorithm, an MD5 hash algorithm 96a and a group identity 98a 

25 of DH768. The second setting 90b proposes a ""DSS signatures'' 
92b authentication method with a ""Rjindael'' 94b cipher 
algorithm, an SHA-1 hash algorithm 96b and a group identity 
98b of DH1024. 

As shown in FIG. 3, the schema 100 for the policy 30 

30 (FIG. 2) lists the requirements 101 for the attributes of a 
network-setting proposal in the policy 30. According to the 
schema, an ID 102 is required 104 for each proposal. A 
cipher algorithm 108 selected from ""3DES,'' ""DES," ""IDEA," 
""Blowfish, " ""RC5," ""CAST," and ""Rjindael" 110 is also 

35 required. A hash algorithm 114, a Group ID 116, and an 

authentication method 118 respectively selected from lists 
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120, 122, and 124 are also required in the network setting 
proposal. Schema 100 specifies an arrangement of a version 
""1.1'' policy file that can be used by the network 
configurator 60a, 60b, 60c. A network configurator may not be 
5 able to configure a network system with a policy file that 
does not conform to the schema of the network configurator. 

As shown in FIG. 4, an older schema 130 associated with 
version ""1.0'' network policies does not include the 
""Rjindael" algorithm 94b of policy 3 0 (FIG. 2) in the list 

10 132 of cipher algorithms 134. Consequently, a network 

configurator associated with the older schema 130 cannot 
configure a network system using policy 30. 

As shown in FIG. 5A, an XSL translation specification 3 6 
(see also FIG. 1) may be used to translate policy 30 to an 

15 older version ""1.0'' which conforms to the older schema 130. 
The specification includes a set 142 of statements that 
replace instances of the ""Rjindael" cipher algorithm with the 
""3DES" algorithm, which is defined in the older schema 130. 
A statement 142a in the set 142 directs a policy translator to 

20 check whether a policy has ""Rjindael" defined as a cipher 

algorithm and another statement 142b directs policy translator 
to change the cipher algorithm to change the cipher algorithm 
from ""Rjindael" to ""3DES. " Thus the specification 36 
directs a policy translator to translate a policy from version 

25 1.1 to version 1.0. A statement 146 directs the policy 

translator to change the policy so that it reflects the older 
schema version 1.0. 

FIG. 5B shows the translated policy 72 resulting from 
translating policy 30 (FIG. 2) based on specification 36. As 

30 shown in FIG. 5B, the version number 150 has been changed from 
""1.1'' to ""1.0" and the cipher algorithm 160 has been 
changed from ""Rjindael" to ""3DES." However, the timestamp 
35 of the policy 72 has not been changed because the 
translation process does not affect the creation date of the 

35 policy. The translated policy 72 may be used by clients 12, 
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14, 16 (FIG 1) that require a policy that conforms to the 
schema 13 0 of FIG. 4. 

As shown in FIG. 6, the server 18 begins the process of 
configuring the clients 12, 14, 16 by broadcasting (600) the 
5 network policy 3 0 on the network 10, so that the policy 3 0 is 
received by all the clients 12, 14, 16. By sending the policy 
30 to the clients 12, 14, 16 in a single transmission, the 
server reduces the network traffic needed to configure the 
clients. The server 18 then checks (602) whether a policy 

10 error 71 has been received from any of the client computers 
12, 14, 16. If a policy error 71 has not been received, the 
server 18 continues to wait for an error 71. 

Otherwise the server 18 determines (604) the address of 
the client computer 16 that sent the policy error 71 from the 

15 information contained within the policy error. The server 18 
also extracts (606) the version 64c of the schema 62c of the 
client from the information contained within the policy error 
71. Upon extracting the version 64c, the policy translator 40 
on the server 18 translates (608) the network configuration 32 

20 of the policy 3 0 to the version 64c using the translation 
specification 3 6 to produce a translated policy 72. The 
server transmits (610) the translated policy 72 to the client 
computer 16 and stops the process. 

As shown in FIG. 7A, the process of configuring a client 

25 12, 14 that includes a policy translator 70a, 70b begins when 
the client 12, 14 receives (700) a policy 30 from the server 
18. The client 12, 14 extracts (701) the timestamp 35 from 
the policy 3 0 and checks (702) whether the timestamp 35 is 
greater than the timestamp 57a, 57b of a network policy that 

30 was previously used to configure the network systems 56a, 56b 
of the clients. A greater timestamp 35 indicates that the 
policy 3 0 was created more recently than the policy that was 
previously used to configure the network systems 56a, 56b of 
the clients. If the timestamp 35 is not greater, the client 

35 12, 14, terminates the configuration process. 
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Otherwise, if the timestamp 3 5 is greater, the client 12, 
14 extracts (703) a schema version 34 from the policy 3 0 and 
checks (704) if the extracted schema version 34 is the same as 
the version 64a, 64b associated with the client 12, 14. If 
5 the extracted schema version 34 is the same as the version 
64a, 64b of the client 12, 14, the network configurator 60a, 
60b of the client 12, 14 configures (710) the network system 
56a, 56b of the client using the policy 30. 

Otherwise, if the extracted schema version 34 is not the 

10 same as the version 64a, 64b of the client 12, 14, the policy 
client 58a, 58b extracts (706) the translation specification 
3 6 from the policy 30 and translates (708) the network 
configuration 32 of the policy 30 using the extracted 
specification 36. The network configurator 60a, 60b of the 

15 client 12, 14 then configures (710) the network system 56a, 
56b of the client using the translated policy. 

As shown in FIG. 7B, the process of configuring a client 
16 that does not have a policy translator also begins when the 
client 16 receives (749) a policy 30 from the server 18. The 

20 client extracts (750) a timestamp 35 from the policy 30, and 
checks (751) whether the timestamp 35 is greater than the 
timestamp 57c of a network policy that was previously used to 
configure the network systems 56c of the client 16. If the 
timestamp 35 is not greater, the client 16 terminates the 

25 process . 

Otherwise, if the timestamp 35 is greater, the client 16 
extracts (752) a schema version 34 from the policy 3 0 and 
checks (754) if the extracted schema version 34 is the same as 
the version 64c associated with the client 16, If the 

30 extracted schema version 34 is the same as the version 64c of 
the client 16, the network configurator 60c of the client 16 
configures (760) the network system 56c of the client using 
the policy 3 0 and terminates the process. 

Otherwise, if the extracted schema version 34 is not the 

35 same as the version 64c of the client 16, the client 16 waits 
(756) for a predetermined waiting period and then checks (758) 
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whether a translated policy 72 has been received from the 
server 18. By waiting for the predetermined period, the 
client 16, can receive a translated policy that was broadcast 
or transmitted (610 FIG. 6) from the server to another client 
5 (not shown) which also does not have a policy translator. The 
different clients are configured to wait for different 
predetermined periods so that client computers with longer 
waiting periods can configure their network systems with 
translated policies which are sent by the server in response 
10 to policy errors from clients with shorter waiting periods. 
This reduces the number of policy errors and translated 
policies sent over the network, thereby reducing the network 
traffic . 

If a translated policy 72 has not been received, the 
15 policy client 58c sends (759) a policy error 71 to the server 
18 and then checks (758) if a translated policy has been 
received. Otherwise, if a translated policy 72 has been 
received, the client 16 extracts 750 a timestamp from the 
translated policy and repeats the process (751-760) described 
20 above . 

Other embodiments are within the scope of the following 
claims. For example, the policy 3 0 and its translation 
specification 36 may not be sent in a single file. Instead, 
the policy and the specification may be sent in two separate 

25 files, allowing the same specification 36 to be used with two 
different policies 30. The server 18 may be configured to 
transmit the translated policy 72 to a single client 16 
instead of broadcasting the translated policy 72 to multiple 
clients in the network 10, In such a single re-transmission 

30 network, the configuration process (FIG. 7B) for a client 16 
that does not have a policy translator would not include 
waiting (756) for a delay time before sending (759) a policy 
error. 
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WHAT IS CLAIMED IS: 



1 1. A method, comprising: 

2 receiving a specification for translating a network 

3 policy from a first schema to a second, different schema; 

4 translating the network policy into the second different 

5 schema based on the specification; and 

6 configuring a network system based on the translated 

7 policy. 

1 2 . The method of claim 1 wherein the network policy is 

2 represented in a tag-based language. 

1 3, The method of claim 1 wherein the specification is received 

2 in a file from a policy server. 

1 4. The method of claim 3 wherein the file also contains the 

2 policy. 

1 5. An article comprising a machine-readable medium which stores 

2 machine -executable instructions for checking events 

3 performed by a device, the instructions causing a machine 

4 to: 

5 receive a specification for translating a policy from a 

6 first schema to a second different schema; 

7 translate the network policy into the second different 

8 schema based on the specification; and 

9 configure a network system based on the translated 
10 policy. 

1 6. The article of claim 5 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 7. The article of claim 5 wherein the specification is received 

2 in a file from a policy server. 



10 



ATTORNEY DOCKET: 10559/299001/P9310 



1 8 . The article of claim 5 wherein the file also contains the 

2 policy. 

1 9 , An apparatus comprising: 

2 a memory which stores computer readable instructions; and 

3 a processor which executes the computer readable 

4 instructions to : 

5 receive a specification for translating a policy 

6 from a first schema to a second, different schema; 

7 translate the network policy into the second 

8 different schema based on the specification; and 

9 configure a network system based on the translated 
10 policy. 

1 10. The apparatus of claim 9 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 11. The apparatus of claim 9 wherein the specification is 

2 received in a file from a policy server. 

1 12. The apparatus of claim 9 wherein the file also contains 

2 the policy. 

1 

1 13. A method, comprising: 

2 storing a network policy for configuring a network system 

3 according to a first schema; 

4 storing a specification for translating the network 

5 policy from the first schema to a second different schema; 

6 translating the network policy into the second different 

7 schema based on the specification; and 

8 sending the translated network policy to a client 

9 computer. 



11 



ATTORNEY DOCKET: 10559/299001/P9310 



1 14. The method of claim 13, further comprising: 

2 prior to translating the network policy: 

3 sending the network policy to the client computer; 

4 sending the specification for translating the 

5 network policy to the client computer; and 

6 receiving an indication that the client computer 

7 cannot translate the network policy. 

1 15. The method of claim 13 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 16. The method of claim 13 wherein the network policy and the 

2 specification are stored in one file. 

1 17. An article comprising a computer- readable medium which 

2 stores computer-executable instructions for checking events 

3 performed by a device, the instructions causing a machine 

4 to: 

5 store a network policy for configuring a network system 

6 according to a first schema; 

7 store a specification for translating the network policy 

8 from the first schema to a second different schema; 

9 translate the network policy into the second different 

10 schema based on the specification; and 

11 send the translated network policy to a client computer, 

1 18. The article of claim 11, wherein the instructions further 

2 cause the machine to: 

3 prior to translating the network policy: 

4 send the network policy to the client computer; 

5 send the specification for translating the network 

6 policy to the client computer; and 

7 receive an indication that the client computer 

8 cannot translate the network policy. 
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1 19. The article of claim 17 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 20. The article of claim 17 wherein the network policy and 

2 the specification are stored in one file. 

1 21. An apparatus comprising: 

2 a memory which stores computer readable instructions; 

3 a processor which executes the computer readable 

4 instructions to : 

5 store a network policy for configuring a network 

6 system according to a first schema; 

7 store a specification for translating the network policy 

8 from the first schema to a second different schema; 

9 translate the network policy into the second different 

10 schema based on the specification; and 

11 send the translated network policy to a client computer. 

1 22. The apparatus of claim 21 wherein, prior to translating 

2 the network policy, the processor executes the instructions 

3 to: 

4 send the network policy to the client computer; 

5 send the specification for translating the network 

6 policy to the client computer; and 

7 receive an indication that the client computer 

8 cannot translate the network policy. 

1 23. The apparatus of claim 21 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 24. The apparatus of claim 21 wherein the network policy and 

2 the specification are stored in one file. 
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1 25, A method of configuring a network comprising: 

2 transmitting a network policy according to a first schema 

3 and a specification for translating the network policy from 

4 the first schema to a second different schema from a server; 

5 receiving the network policy and the specification on a 

6 first client computer; 

7 translating on the client computer the network policy 

8 from the first schema to the second different schema using 

9 the specification; and 

10 configuring the network system on the first client 

11 computer using on the translated network policy. 

1 26. The method of claim 25 further comprising: 

2 receiving the network policy on a second client computer; 

3 and 

4 configuring the network system on the second client 

5 computer using on the network policy. 

1 27. The method of claim 25 further comprising: 

2 receiving the network policy on a third client computer; 

3 transmitting to the server an indication that the third 

4 client computer cannot translate the network policy; 

5 translating on the server the network policy from the 

6 first schema to the second different schema using the 

7 specification; and 

8 transmitting the translated network policy to the third 

9 client computer. 

1 28. The method of claim 27 wherein the network policy is 

2 represented in extensible Markup Language and the 

3 specification is represented in extensible Stylesheet 

4 Language . 

1 29. The method of claim 27 wherein the network policy and the 

2 specification are contained in one file. 

1 30. A method of creating a file for configuring a network 

2 system comprising: 

14 
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3 adding network data to the file; and 

4 adding a specification for translating the network data 

5 from a first schema to a second schema. 
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ABSTRACT 

A method includes receiving a specification for 
translating a network policy from a first schema to a second, 
different schema and translating the network policy into the 
second different schema based on the specification. A network 
system is configured based on the translated policy, 

20128271.doc 
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